With more APIs in circulation than ever before, there has been a direct correlation to the number of API abuses reported across industries. This is because APIs are such a valuable asset to bad actors, but many organizations have not yet woken up to the realities of the need to protect their APIs from abuse. If you couple that with the fact that attacks on APIs have become more sophisticated, with some attackers even using AI themselves, then you can see why even some of the more security-conscious organizations can have trouble properly securing their APIs. A robust API Security posture can be broken down into several areas including: Proper design and coding during the development process API governance and compliance through visibility of all your APIs (shadow too!) and a mapping of how they connect to each other. General application and API protection from tools such as API gateways, WAFs, NG-WAF, and RASPS An always-updating understanding of your user behaviors regarding your APIs. You won’t have comprehensive API security without solutions in each of these areas. We will also discuss: The roles of API developers, infosec, support, and enterprise architects as it relates to API security Microservices role in making it difficult to secure your APIs The importance of inventorying your APIs How technologies like Traceable can help protect your APIs against advanced attacks Key takeaways: Why your API's are a key attack surface for modern bad actors Why APi's are so much harder to secure than traditional web traffic What's necessary to secure your APIs Why yesterday's solutions can't solve today's new API security challenges

1. API Security
Everything You Need to Know to Protect Your APIs
Mar 17, 2021
Visibility • Protection • Resolution
Doc ver: 2021-03-04-01
Aaron Lieberman
Big Compass
Cloud Practice Manager and Architect
Dan Gordon
Traceable AI
Dir, Technical Evangelism

2. https://traceable.ai
1. API landscape
2. Microservices role in API security
3. The difficult task of protecting APIs
4. How visibility relates to API security
5. Business roles
6. Layered API security
7. Traceable Defense AI
8. Q&A
Agenda
Based on Aaron’s new e-book
The Practical Guide to API Security:

3. ● MuleSoft, AWS, Confluent, Salesforce, and
Boomi partners
● Consulting - specializing in integrations,
related technologies, API development, and
API security
● We build connections between systems,
applications, people, and ideas
Introductions
● Cloud Practice Manager and
Architect at Big Compass
● API security practitioner
● API enthusiast, developer,
designer, and owner
● Denver MuleSoft Meetup Leader
and Presenter
● All Things Integration Meetup
Leader and Presenter
● Speaker, blogger, writer
Aaron Lieberman

4. Polling Question #1

5. API Landscape

6. API Growth
https://blog.postman.com/api-growth-rate/

7. Current API Landscape
https://blog.postman.com/api-growth-rate/

8. Current API
Threats
Landscape
10 - 55 Attacks
Per Month
51 - 200 Attacks
Per Month
Experienced API
Security Incident
Last Year
56% 22% 91%
Cyber Attack Report

9. API Attacks
Affect
Everyone “50 million Facebook accounts breached by
access-token-harvesting attack”
“T-Mobile Alerts 2.3 Million
Customers of Data Breach Tied to
Leaky API”
“US Postal Service Exposes 60 Million Users
in API Snafu”

10. API Visibility

11. ● Massive growth in APIs
● Organizations commonly deploy APIs without
documenting
● Inventory management of APIs is crucial
API Evolution

12. ● An API inventory is crucial to protecting your APIs
● You can’t protect what you don’t know about!
● Inventory is the first step in protecting your APIs
API
Protection

13. Security Across
Microservices

14. Microservices
Landscape
2018 Cloud Microservices
Revenue
2023 Projected Cloud
Microservices Revenue
$683.2M $1,880M
Microservices Report 2
Microservices Growth Rate Per Year
27.4%
Microservices Report

15. Monolith vs. Microservices
Monolithic Architecture Microservices Architecture

16. Traceability
Is Key
● APIs are decoupled from orchestration and business logic
● More microservices mean greater need to track
communication across all distributed services to detect
abnormal behavior
● Not just monitoring 1 system, you are monitoring many
distributed microservices

17. The Difficult Task of
Protecting APIs

18. API Attack Detection Data
Average Cost of Data
Breach
Time to Identify and Contain
a Breach
Average Records Stolen in
Data Breach
$3.92M 279 days 25,575

19. ● API breaches can take months or years to detect
● High volume of traffic across many APIs
● High velocity connections
● Diverse traffic running through many APIs
● API ownership is not always clear
● Advanced API attacks reduce effectiveness of
traditional API security measures
API Attack
Detection

20. Advanced
API Attacks
● OWASP API Top 10 identifies known attacks
● Hackers launch advanced attacks using ML/AI
● Advanced attacks are unpredictable

21. Polling Question #2

22. Business Roles

23. ● Enterprise Architects
● API Developers
● Information Security
● Operations/Support
Business Roles
Necessary to Protect
APIs

24. Roles in API Security

25. Layered API Security

26. ● Protects against brute force attacks and other
simple attacks
● Gateway security measures
○ OAuth 2.0
○ Rate limiting
○ IP whitelisting
○ Client ID enforcement
○ JWT
○ SAML
First Line of
Defense - API
Gateway
Security

27. ● Protects against some of the OWASP Top 10 Attacks
● Entry point to API Gateway and backend services
and detects attacks such as
○ SQL injection
○ Cross site scripting
○ DDoS
Second Line of
Defense -
WAF/RASP

28. ● Last line of defense that models the behavior of your
API
● Can detect deviations from normal behavior
● Protects against advanced attacks from
○ Stolen tokens
○ Insider threats
○ Stolen credentials
○ Authenticated access
Third Line of
Defense -
ML/AI

29. A New Approach to
Application & API Protection

30. Traceable Defense AI
Hypertrace
Distributed Tracing
Trace AI Platform
Unsupervised Machine Learning
Defense AI
30
Real-time complete
service, API, & data
visibility
Visibility
(WAF+RASP+API)++
AI first, no rules
required, low false
positives
Protection
Per transaction
contextual data for
Dev, Sec, and Ops
Resolution

31. 31
● Complete
visualization of
your apps
● Understands
interactions between
your services
● Understands flow of
traffic between
services
● Understands who’s
using your services
● Understands data
flow between
services
Visibility - Complete app security discovery & observability

32. Visibility - Real-time API Discovery & Risk Scoring
32
● Discovers
external and
internal API
usage in
real-time
● Continuous API
endpoint risk
scoring based
on API
Intelligence
● Understands &
models API
behavior
● No more shadow
API’s

33. Protection - AI First Detection, No Rules Required
● Beyond WAFs & RASPS
- no rules required,
low false positives
● Protects against
OWASP & OWASP API
top 10 threat lists
● User focused threat
activity timelines
● Evolve defenses to
match continuously
changing threats and
application
architectures
33

34. 34
● Understands user
behavior
● Detects & blocks
anomalous user
behavior
● Prevents fraud
attacks
● Stops data
breaches
Protection - Block sophisticated business logic attacks

35. 35
● Per transaction
explorable data lake
for forensics and
troubleshooting
● Increase resolution
velocity due to
shared visibility
● Closely align SecOps
and Dev teams
● Help developers to
understand API
security risks
Resolution - Contextual Data for Dev, Sec and Ops

36. https://traceable.ai
Q&A
Visit us to learn more:
Visibility • Protection • Resolution
https://www.bigcompass.com

37. Appendix

38. Helpful Links
and
References
● IBM Breach Data Report
● Data Breach Statistics
● API Attack Statistics
● Big Compass eBooks